Set up a federated provider service account
Before you define a remote Splunk platform deployment as a federated provider, create a service user account on that remote deployment. This service account enables secure communication between the federated search head on your local deployment and the federated provider.
To set up a service account, follow these steps on the remote Splunk platform deployment that you intend to configure as a federated provider. Follow the documentation links for the type of federated provider you are working with: Splunk Cloud Platform or Splunk Enterprise.
| Step | More information | Splunk Cloud Platform documentation | Splunk Enterprise documentation |
|---|---|---|---|
| Create a new role | This role will be dedicated to the service account for the federated provider. Do not give it to other users or entities. As you design this role, implement role-based restrictions that ensure that this service account role can access only the indexes and datasets that should be available for federated searches. It should inherit its baseline capabilities from the User role. | See Manage Splunk Cloud roles in the Splunk Cloud Admin Manual. | See Create and manage roles with Splunk Web in Securing the Splunk Platform. |
| Create a new user and assign the role to it | This user is the service account for the federated provider. Assign the role you created in the first step to this service account. | See Manage Splunk Cloud users in the Splunk Cloud Admin Manual. | See Create and manage users with Splunk Web in the Securing the Splunk Platform manual. |
| Save a record of the user ID and password for the service account | You need these credentials for the Service Account Username and Service Account Password fields when you configure the remote Splunk platform deployment as a federated provider. | | |
For more information about defining federated providers through the Add Federated Provider page in Splunk Web, see Define a federated provider.
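The role guidance in the table can be checked after the fact. The following audit is an added example, not part of the Splunk documentation: it assumes a Splunk Enterprise provider whose `authorize.conf` is readable, and the role name `fedsearch_svc`, the index names, and the user list are constructed for illustration. It inspects only the role's own stanza and does not resolve settings inherited from imported roles.

```python
import configparser

# Constructed sample of authorize.conf on the remote deployment (not from the page).
SAMPLE_AUTHORIZE_CONF = """
[role_fedsearch_svc]
importRoles = user
srchIndexesAllowed = web_proxy;auth_events

[role_fedsearch_broad]
importRoles = user;power
srchIndexesAllowed = *
"""

# Constructed user-to-roles mapping, for example copied from the Users page.
SAMPLE_USERS = {
    "svc_fedsearch": ["fedsearch_svc"],
    "bob": ["power", "fedsearch_broad"],
    "svc_broad": ["fedsearch_broad"],
}


def split_list(value):
    """Split a semicolon-separated authorize.conf list into clean items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def audit_service_role(conf_text, role, users):
    """Return findings for the role; an empty list means it matches the guidance."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    stanza = f"role_{role}"
    if not parser.has_section(stanza):
        return [f"role {role} is not defined"]
    findings = []
    imported = split_list(parser.get(stanza, "importRoles", fallback=""))
    if imported != ["user"]:
        findings.append(f"importRoles is {imported}, expected ['user']")
    allowed = split_list(parser.get(stanza, "srchIndexesAllowed", fallback=""))
    if not allowed:
        findings.append("srchIndexesAllowed is not set on the role itself")
    for index in allowed:
        if "*" in index:
            findings.append(f"srchIndexesAllowed contains wildcard {index!r}")
    holders = sorted(u for u, roles in users.items() if role in roles)
    if len(holders) != 1:
        findings.append(f"role is held by {len(holders)} accounts: {holders}")
    return findings
```

Calling `audit_service_role(SAMPLE_AUTHORIZE_CONF, "fedsearch_broad", SAMPLE_USERS)` reports the extra inherited role, the wildcard index, and the shared assignment, while the dedicated `fedsearch_svc` role returns no findings.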
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2105 (latest FedRAMP release), 8.2.2106